Linux Keylogger Proof of Concept

I’ve just read ‘The Linux Security Circus: On GUI isolation’

It struck me that a linux keylogger is perfectly easy to write – I had previously (naïvely) thought such a program would only work given root permissions.

Alas! It’s stupidly easy.

see result of 30 minutes of hacking

The code simply calls xinput test [id of keyboard device] and parses out the keycodes. The id of your keyboard device can be found from the device listing given by xinput list.

Advertisements
Linux Keylogger Proof of Concept

8 thoughts on “Linux Keylogger Proof of Concept

    1. jebavarde says:

      that’s sad :(

      I’ll try and confirm it still works for me (Archlinux) upon getting home (work computer = windows). Could be some variance in the X setup.

    2. jebavarde says:

      I got round to looking at this. The only thing I can think of is that your keyboard device has a different id – mine varies somewhat from boot to boot.

      change line 31:
      logger = Popen(“xinput test 9”, shell=True, bufsize=1, stdout=PIPE).stdout

      to
      logger = Popen(“xinput test [YOUR DEVICE ID]”, shell=True, bufsize=1, stdout=PIPE).stdout

  1. This is strange :

    xinput test 11

    works and show the key pressed on stdout, but I cannot “pipe” stdout into another program :

    xinput test 11 | cat

    does not show anything.

    I have the same problem with your python app.

    1. jebavarde says:

      I’d experiment with different IDs. Strangely now on my system the id that works is 10
      try

      xinput list

      the line corresponding to the id that works on my system is

      AT Translated Set 2 keyboard id=10 [slave keyboard (3)]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s